1

I have been testing out strongSwan VPN on a Linux server in a Windows Active Directory domain.

I have managed to get a single-tier PKI with EAP authentication to work, but when I attempt to add a intermediate certificate authority to the setup connecting to the VPN fails.

The VPN and both CA's are Debian 9 boxes.

I have already taken this whole test domain down and I am getting ready to start over from scratch and was wondering if any one had any input on what I might be doing wrong.

Heres the commands I ran to create the CAs and server key pair.

Creating root CA private key:

$ ipsec pki --gen --type rsa --size 4096 --outform pem > ca.key.pem
$ chmod 600 ca.key.pem

Create self-signed certificate:

$ ipsec pki --self --flag serverAuth --in ca.key.pem \ 
  --type rsa --digest sha256 \
  --dn "C=US, O=IT_Testing, CN=VPN Root CA" --ca > ca.crt.der

Create intermediate CA private key:

$ ipsec pki --gen --type rsa --size 4096 --outform pem > intca.key.pem

Generate intermediate CA CSR:

$ ipsec pki --pub --in intca.key.pem --type rsa >  intca.csr

Sign the intermediate CA CSR:

$ ipsec pki --issue --cacert ca.crt.der \ 
  --cakey ca.key.pem --digest sha256 \
  --dn "C=US, O=IT_Testing, CN=INT CA" \
  --san "intca.testdomain.com" --flag serverAuth \ 
  --flag ikeIntermediate --outform pem \
  < intca.csr > intca.crt.pem

Create the VPN server private key and CSR:

$ ipsec pki --gen --type rsa --size 2048 --outform pem > vpn.testdomain.com.key.pem

$ ipsec pki --pub --in vpn.testdomian.com.key.pem --type rsa > vpn.testdomain.com.csr

Sign the VPN server certificate:

$ ipsec pki --issue --cacert intca.crt.pem \ 
  --cakey intca.key.pem --digest sha256 \
  --dn "C=US, O=IT_Testing, CN=vpn.testdomain.com" \
  --san "vpn.testdomain.com" --flag serverAuth --outform pem \
  < vpn.testdomain.com.csr > vpn.testdomain.com.crt.pem

I copy the root CA certificate to /etc/ipsec.d/cacerts, the VPN certificate to /etc/ipsec.d/certs, and the VPN server key to /etc/ipsec.d/private.

I add the line leftcert=/etc/ipsec.d/certs/vpn.testdomain.com.crt.pem to ipsec.conf. As well as point ipsec.secrets to the VPN server's private key.

The rest of the config is the same as the working single-tier pki.

ecdsa
  • 3,973
  • 15
  • 29
0B51D14N
  • 83
  • 2
  • 9

1 Answers1

3

When issuing the intermediate CA certificate make sure you add --ca to the command line to add the CA basicConstraint and actually create a CA certificate.

And don't add the serverAuth and ikeIntermediate flags to it, only add them to the server certificate. ikeIntermediate does not refer to intermediate CA certificates, but IPsec intermediate systems, and it's probably not necessary to add it anymore (it was only defined in a draft and I think only very old version of macOS required it).

Community
  • 1
ecdsa
  • 3,973
  • 15
  • 29